>> Firstly, no idea how you can conclude he hacked an account. A bit strong of language there?

>This is like... the textbook definition of a hack.

Perhaps of "hacking FB", but he didn't "hack an account".

I don't see what the problems are for FB here. They have a moral obligation to reward him for reporting this bug, especially since their ToS are apparently not available in Arabic. Claiming that he showed any sort of malicious/inappropriate behavior is a really bad tactic to save some money when they clearly handled this very badly from the start, while his intentions were obviously good.

All they are achieving by reacting this way (including the apologists) is that next time, such people will just sell their exploits on the blackhat market.

I don't think this has anything to do with saving money. It really seems like a case of trying to take human judgment out of the equation. Strict adherence to rules is easy for bean-counters to push but frequently problematic for dealing with real-world situations because rules are never perfect.

Facebook really doesn't need to save $10k by not paying this guy. It's about upholding the terms and not setting a precedent.

The blackhat market for Facebook exploits is not huge because the product is centrally controlled and can be patched at any time. It's not like 0-days for products with individual installations that aren't centrally controlled with forced updates - those are clearly valuable.